---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cilium-operator
  namespace: kube-system
  labels:
    io.cilium/app: operator
    name: cilium-operator
spec:
{% if groups.k8s_cluster | length == 1 %}
  replicas: 1
{% else %}
  replicas: {{ cilium_operator_replicas }}
{% endif %}
  selector:
    matchLabels:
      io.cilium/app: operator
      name: cilium-operator
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
    type: RollingUpdate
  template:
    metadata:
{% if cilium_enable_prometheus %}
      annotations:
        prometheus.io/port: "{{ cilium_operator_scrape_port }}"
        prometheus.io/scrape: "true"
{% endif %}
      labels:
        io.cilium/app: operator
        name: cilium-operator
    spec:
      containers:
        - name: cilium-operator
          image: "{{ cilium_operator_image_repo }}:{{ cilium_operator_image_tag }}"
          imagePullPolicy: {{ k8s_image_pull_policy }}
          command:
            - cilium-operator
          args:
            - --config-dir=/tmp/cilium/config-map
            - --debug=$(CILIUM_DEBUG)
{% if cilium_operator_custom_args is string %}
            - {{ cilium_operator_custom_args }}
{% else %}
{% for flag in cilium_operator_custom_args %}
            - {{ flag }}
{% endfor %}
{% endif %}
          env:
            - name: K8S_NODE_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: spec.nodeName
            - name: CILIUM_K8S_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
            - name: CILIUM_DEBUG
              valueFrom:
                configMapKeyRef:
                  key: debug
                  name: cilium-config
                  optional: true
            - name: AWS_ACCESS_KEY_ID
              valueFrom:
                secretKeyRef:
                  name: cilium-aws
                  key: AWS_ACCESS_KEY_ID
                  optional: true
            - name: AWS_SECRET_ACCESS_KEY
              valueFrom:
                secretKeyRef:
                  name: cilium-aws
                  key: AWS_SECRET_ACCESS_KEY
                  optional: true
            - name: AWS_DEFAULT_REGION
              valueFrom:
                secretKeyRef:
                  name: cilium-aws
                  key: AWS_DEFAULT_REGION
                  optional: true
{% if cilium_kube_proxy_replacement == 'strict' %}
            - name: KUBERNETES_SERVICE_HOST
              value: "{{ kube_apiserver_global_endpoint | urlsplit('hostname') }}"
            - name: KUBERNETES_SERVICE_PORT
              value: "{{ kube_apiserver_global_endpoint | urlsplit('port') }}"
{% endif %}
{% if cilium_enable_prometheus %}
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
          ports:
            - name: prometheus
              containerPort: {{ cilium_operator_scrape_port }}
              hostPort: {{ cilium_operator_scrape_port }}
              protocol: TCP
{% endif %}
          livenessProbe:
            httpGet:
{% if cilium_enable_ipv4 %}
              host: 127.0.0.1
{% else %}
              host: '::1'
{% endif %}
              path: /healthz
              port: 9234
              scheme: HTTP
            initialDelaySeconds: 60
            periodSeconds: 10
            timeoutSeconds: 3
          volumeMounts:
            - name: cilium-config-path
              mountPath: /tmp/cilium/config-map
              readOnly: true
{% if cilium_identity_allocation_mode == "kvstore" %}
            - name: etcd-config-path
              mountPath: /var/lib/etcd-config
              readOnly: true
            - name: etcd-secrets
              mountPath: "{{ cilium_cert_dir }}"
              readOnly: true
{% endif %}
{% for volume_mount in cilium_operator_extra_volume_mounts %}
            - {{ volume_mount | to_nice_yaml(indent=2) | indent(14) }}
{% endfor %}
      hostNetwork: true
      dnsPolicy: ClusterFirstWithHostNet
      restartPolicy: Always
      priorityClassName: system-node-critical
      serviceAccount: cilium-operator
      serviceAccountName: cilium-operator
      # In HA mode, cilium-operator pods must not be scheduled on the same
      # node as they will clash with each other.
      affinity:
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
          - topologyKey: kubernetes.io/hostname
            labelSelector:
              matchLabels:
                io.cilium/app: operator
      tolerations:
        - operator: Exists
      volumes:
        - name: cilium-config-path
          configMap:
            name: cilium-config
{% if cilium_identity_allocation_mode == "kvstore" %}
        # To read the etcd config stored in config maps
        - name: etcd-config-path
          configMap:
            name: cilium-config
            defaultMode: 420
            items:
              - key: etcd-config
                path: etcd.config
          # To read the k8s etcd secrets in case the user might want to use TLS
        - name: etcd-secrets
          hostPath:
            path: "{{ cilium_cert_dir }}"
{% endif %}
{% for volume in cilium_operator_extra_volumes %}
        - {{ volume | to_nice_yaml(indent=2) | indent(10) }}
{% endfor %}
